
RE: TLS on W2K



Hi,

I've added in my client program the following:

    rc = ldap_pvt_tls_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, "C:\\LDAP\\cl_cert.pem");  /* client certificate */
    if ( rc != LDAP_SUCCESS ) {
        fprintf( stderr, "Error Setting CERTFILE [%d]...\n", rc);
        return(0);
    }
    rc = ldap_pvt_tls_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE, "C:\\LDAP\\cl_sk.pem");     /* its private key */
    if ( rc != LDAP_SUCCESS ) {
        fprintf( stderr, "Error Setting KEYFILE [%d]...\n", rc);
        return(0);
    }

in the slapd.conf

    # Enable TLS/SSL
    TLSCertificateFile     /home/gvm/CA/users/ld_cert.pem
    TLSCertificateKeyFile  /home/gvm/CA/users/ld_sk.pem
    TLSCACertificateFile   /home/gvm/CA/cacert.pem
    TLSVerifyClient        1

And everything seems to work!!!!

======> Is it not needed to specify the CA certificate at client side (to verify the server's certificate)?

======> But do you know where these 2 lines are coming from?

    TLS trace: SSL_accept:error in SSLv3 read client certificate A
    TLS trace: SSL_accept:error in SSLv3 read client certificate A

======> and:

    connection_read(10): input error=-2 id=0, closing.

======> Does anyone have a clear description of TLS?

======> Can you combine the client's certificate with an ACL?

Regards,

    slapd starting
    connection_get(10): got connid=0
    connection_read(10): checking for input on id=0
    ber_get_next
    ber_get_next: tag 0x30 len 29 contents:
    do_extended
    ber_scanf fmt ({a) ber:
    ber_get_next
    ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
    send_ldap_extended 0: (0)
    send_ldap_response: msgid=1 tag=120 err=0
    ber_flush: 14 bytes to sd 10
    connection_get(10): got connid=0
    connection_read(10): checking for input on id=0
    TLS trace: SSL_accept:before/accept initialization
    TLS trace: SSL_accept:SSLv3 read client hello A
    TLS trace: SSL_accept:SSLv3 write server hello A
    TLS trace: SSL_accept:SSLv3 write certificate A
    TLS trace: SSL_accept:SSLv3 write certificate request A
    TLS trace: SSL_accept:SSLv3 flush data
    TLS trace: SSL_accept:error in SSLv3 read client certificate A
    TLS trace: SSL_accept:error in SSLv3 read client certificate A
    connection_get(10): got connid=0
    connection_read(10): checking for input on id=0
    TLS certificate verification: depth: 1, subject: /C=BE/ST=Antwerpen/L=Hoogstraten/O=HighSign/CN=Geert Van Muylem/Email=GVM@HighSign.BE, issuer: /C=BE/ST=Antwerpen/L=Hoogstraten/O=HighSign/CN=Geert Van Muylem/Email=GVM@HighSign.BE
    TLS certificate verification: depth: 0, subject: /C=BE/ST=Antwerpen/O=HighSign/CN=Client, issuer: /C=BE/ST=Antwerpen/L=Hoogstraten/O=HighSign/CN=Geert Van Muylem/Email=GVM@HighSign.BE
    TLS trace: SSL_accept:SSLv3 read client certificate A
    TLS trace: SSL_accept:error in SSLv3 read client key exchange A
    connection_get(10): got connid=0
    connection_read(10): checking for input on id=0
    TLS trace: SSL_accept:SSLv3 read client key exchange A
    TLS trace: SSL_accept:SSLv3 read certificate verify A
    TLS trace: SSL_accept:SSLv3 read finished A
    TLS trace: SSL_accept:SSLv3 write change cipher spec A
    TLS trace: SSL_accept:SSLv3 write finished A
    TLS trace: SSL_accept:SSLv3 flush data
    connection_get(10): got connid=0
    connection_read(10): checking for input on id=0
    ber_get_next
    ber_get_next: tag 0x30 len 5 contents:
    do_unbind
    ber_get_next
    ber_get_next on fd 10 failed errno=104 (Connection reset by peer)
    connection_read(10): input error=-2 id=0, closing.
    connection_closing: readying conn=0 sd=10 for close
    connection_close: deferring conn=0 sd=10
    connection_resched: reaquiring locks conn=0 sd=10
    connection_resched: attempting closing conn=0 sd=10
    connection_close: conn=0 sd=10

-----Original Message-----
From: Chapman, Kyle [mailto:Kyle_Chapman@G1.com]
Sent: Wednesday, 29 August 2001 2:37
To: 'Geert Van Muylem '
Subject: RE: TLS on W2K

yes, i think it can... try this first and see what it does

    ldap_pvt_tls_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, "true")

you can also use: LDAP_OPT_X_TLS_CACERTFILE, LDAP_OPT_X_TLS_CACERTDIR, LDAP_OPT_X_TLS_CERTFILE, LDAP_OPT_X_TLS_KEYFILE, but i haven't done what you are trying to do...

-----Original Message-----
From: Geert Van Muylem
To: Chapman, Kyle
Sent: 8/28/01 8:06 PM
Subject: RE: TLS on W2K

Thanks,

It seems to work now! Is there somewhere a description on how all these things are working?

And perhaps my most important questions: Can OpenLDAP be used to do certificate-based client authentication? Until now the client didn't send its certificate to the server to identify itself. If it's possible: how do we need to set up things?

thanks again!!!!! Your help is really appreciated!

Geert

-----Original Message-----
From: Chapman, Kyle [mailto:Kyle_Chapman@G1.com]
Sent: Wednesday, 29 August 2001 1:30
To: 'Geert Van Muylem '
Subject: RE: TLS on W2K

can you do nslookup or ping dragon.doom.be? if not, put the entry in the hosts file on your linux and win2k box

-----Original Message-----
From: Geert Van Muylem
To: Chapman, Kyle
Sent: 8/28/01 9:29 PM
Subject: RE: TLS on W2K

Hi,

I've created a new certificate for my ldap server:

    CN = dragon.doom.be
    O  = HighSign
    S  = Antwerpen
    C  = BE

where cn=dragon.doom.be with dragon = hostname and Domain name = doom.be (These are my linux network settings)

I've still got the same errors: what are the following lines:

    TLS trace: SSL_accept:error in SSLv3 read client certificate A
    TLS trace: SSL_accept:error in SSLv3 read client certificate A

    gvm@dragon:~ > ldssld
    Password:
    @(#) $OpenLDAP: slapd 2.0.11-Release (Mon Aug 13 23:12:15 CEST 2001) $
            gvm@linux:/home/gvm/LDAP/OpenLDAP/openldap-2.0.11/servers/slapd
    daemon_init: listen on ldap://
    daemon_init: listen on ldaps://
    daemon_init: 2 listeners to open...
    ldap_url_parse_ext(ldap://)
    daemon: socket() failed errno=97 (Address family not supported by protocol)
    daemon: initialized ldap://
    ldap_url_parse_ext(ldaps://)
    daemon: socket() failed errno=97 (Address family not supported by protocol)
    daemon: initialized ldaps://
    daemon_init: 2 listeners opened
    slapd init: initiated server.
    Enter PEM pass phrase:
    slapd startup: initiated.
    slapd starting
    connection_get(10): got connid=0
    connection_read(10): checking for input on id=0
    ber_get_next
    ber_get_next: tag 0x30 len 29 contents:
    do_extended
    ber_scanf fmt ({a) ber:
    ber_get_next
    ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
    send_ldap_extended 0: (0)
    send_ldap_response: msgid=1 tag=120 err=0
    ber_flush: 14 bytes to sd 10
    connection_get(10): got connid=0
    connection_read(10): checking for input on id=0
    TLS trace: SSL_accept:before/accept initialization
    TLS trace: SSL_accept:SSLv3 read client hello A
    TLS trace: SSL_accept:SSLv3 write server hello A
    TLS trace: SSL_accept:SSLv3 write certificate A
    TLS trace: SSL_accept:SSLv3 write server done A
    TLS trace: SSL_accept:SSLv3 flush data
    TLS trace: SSL_accept:error in SSLv3 read client certificate A
    TLS trace: SSL_accept:error in SSLv3 read client certificate A
    connection_get(10): got connid=0
    connection_read(10): checking for input on id=0
    TLS trace: SSL_accept:SSLv3 read client key exchange A
    TLS trace: SSL_accept:SSLv3 read finished A
    TLS trace: SSL_accept:SSLv3 write change cipher spec A
    TLS trace: SSL_accept:SSLv3 write finished A
    TLS trace: SSL_accept:SSLv3 flush data
    connection_get(10): got connid=0
    connection_read(10): checking for input on id=0
    ber_get_next
    ber_get_next on fd 10 failed errno=104 (Connection reset by peer)
    connection_read(10): input error=-2 id=0, closing.
    connection_closing: readying conn=0 sd=10 for close
    connection_close: conn=0 sd=10

-----Original Message-----
From: Chapman, Kyle [mailto:Kyle_Chapman@G1.com]
Sent: Wednesday, 29 August 2001 0:11
To: 'Geert.Van.Muylem@SKYNET.BE'
Subject: RE: TLS on W2K

the common name should be: ldapserver.domain.name where domain.name is your domain name... if it was us it would be: ldapserver.g1.com

you shouldn't need client certificates

-----Original Message-----
From: Geert Van Muylem [mailto:Geert.Van.Muylem@SKYNET.BE]
Sent: Tuesday, August 28, 2001 6:00 PM
To: Chapman, Kyle
Subject: RE: TLS on W2K

with ssl certificate you mean the certificate for LDAP Server which is in my case cn=LDAP Server

Can you give me an example (i'm lost...)

-----Original Message-----
From: Chapman, Kyle [mailto:Kyle_Chapman@G1.com]
Sent: Tuesday, 28 August 2001 23:42
To: 'Geert.Van.Muylem@skynet.be'
Subject: RE: TLS on W2K

when you created the ssl certificate, it asked you for a common name... you should make sure it is: . and that any machine, including the ldap server itself, can resolve the hostname/domain combo

-----Original Message-----
From: Geert Van Muylem [mailto:Geert.Van.Muylem@skynet.be]
Sent: Tuesday, August 28, 2001 5:45 PM
To: Chapman, Kyle
Subject: RE: TLS on W2K

Thanks Kyle, but can you be a bit more specific? I do not fully understand!

BTW This is my Server's certificate (DER)

    CN = LDAP Server, O = HighSign, S = Antwerpen, C = BE

-----Original Message-----
From: Chapman, Kyle [mailto:Kyle_Chapman@G1.com]
Sent: Tuesday, 28 August 2001 23:26
To: 'Geert.Van.Muylem@skynet.be'
Subject: RE: TLS on W2K

the -2 error.. make sure the ssl cert's CN or common name you entered is the FQDN of the ldapserver...

-----Original Message-----
From: Geert Van Muylem [mailto:Geert.Van.Muylem@skynet.be]
Sent: Tuesday, August 28, 2001 5:21 PM
To: LDAP Mailing List
Subject: TLS on W2K

Dear All,

Why do I get the following error (0x52)? (Platform: Client = W2K, Server = Linux)

    START_TLS [Local error][0x52]...
    ldap_start_tls: Success

=> Debug output from Server:

    connection_get(10): got connid=0
    connection_read(10): checking for input on id=0
    ber_get_next
    ber_get_next: tag 0x30 len 29 contents:
    do_extended
    ber_scanf fmt ({a) ber:
    ber_get_next
    ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
    send_ldap_extended 0: (0)
    send_ldap_response: msgid=1 tag=120 err=0
    ber_flush: 14 bytes to sd 10
    connection_get(10): got connid=0
    connection_read(10): checking for input on id=0
    TLS trace: SSL_accept:before/accept initialization
    TLS trace: SSL_accept:SSLv3 read client hello A
    TLS trace: SSL_accept:SSLv3 write server hello A
    TLS trace: SSL_accept:SSLv3 write certificate A
    TLS trace: SSL_accept:SSLv3 write server done A
    TLS trace: SSL_accept:SSLv3 flush data
    TLS trace: SSL_accept:error in SSLv3 read client certificate A
    TLS trace: SSL_accept:error in SSLv3 read client certificate A
    connection_get(10): got connid=0
    connection_read(10): checking for input on id=0
    TLS trace: SSL_accept:SSLv3 read client key exchange A
    TLS trace: SSL_accept:SSLv3 read finished A
    TLS trace: SSL_accept:SSLv3 write change cipher spec A
    TLS trace: SSL_accept:SSLv3 write finished A
    TLS trace: SSL_accept:SSLv3 flush data
    connection_get(10): got connid=0
    connection_read(10): checking for input on id=0
    ber_get_next
    ber_get_next on fd 10 failed errno=104 (Connection reset by peer)
    connection_read(10): input error=-2 id=0, closing.
    connection_closing: readying conn=0 sd=10 for close
    connection_close: conn=0 sd=10

=> Server slapd.conf

    # Enable TLS/SSL
    TLSCertificateFile     /home/gvm/CA/users/ldapcert.pem
    TLSCertificateKeyFile  /home/gvm/CA/users/ldap.pem
    TLSCACertificateFile   /home/gvm/CA/cacert.pem

=> Client code

    LDAP *ld;
    int rc;
    int version = LDAP_VERSION3;   /* StartTLS is an LDAPv3 extended operation */

    printf ("INIT...\n");
    ld = ldap_init("192.168.0.49", 389);
    if( ld == NULL ) {
        printf ("Init Error...\n");
        return(1);
    }
    if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version ) != LDAP_OPT_SUCCESS ) {
        fprintf( stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n", version );
        return 1;
    }
    /* seed file for OpenSSL's PRNG on a platform without /dev/random */
    rc = ldap_pvt_tls_set_option(NULL, LDAP_OPT_X_TLS_RANDOM_FILE, "FILE.RND");
    if ( rc != LDAP_SUCCESS ) {
        fprintf( stderr, "Error Setting option [%d]...\n", rc);
    }
    if ( (rc = ldap_start_tls_s( ld, NULL, NULL )) != LDAP_SUCCESS ) {
        fprintf( stderr, "START_TLS [%s][0x%02X]...\n", ldap_err2string(rc), rc);
        ldap_perror( ld, "ldap_start_tls");
    }
    return(0);
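An added example for reading the slapd traces quoted in this thread (written for this page, not by any of the posters): the "error in SSLv3 read client certificate A" lines are printed by slapd's OpenSSL info callback whenever SSL_accept returns less than zero at a step, which on slapd's non-blocking sockets is just the wait for the client's next message, and the first trace above shows the same step completing on the following read. The script summarises such a trace: whether a client certificate was requested and presented, whether the server side reached "write finished", and how the connection ended, so a server trace that completes the handshake while the client reports 0x52 (LDAP_LOCAL_ERROR) points at a client-side problem such as the CN/hostname mismatch discussed in the thread. The sample trace is constructed and abridged from the lines in this thread.

```python
import re

# Constructed sample (abridged from the kind of slapd -d output quoted in the
# thread): TLSVerifyClient on, client presents a certificate, then unbinds.
SAMPLE_TRACE = """\
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS certificate verification: depth: 0, subject: /C=BE/ST=Antwerpen/O=HighSign/CN=Client, issuer: /C=BE/O=HighSign/CN=Geert Van Muylem
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write finished A
do_unbind
ber_get_next on fd 10 failed errno=104 (Connection reset by peer)
connection_read(10): input error=-2 id=0, closing.
"""

STEP_RE = re.compile(r"TLS trace: SSL_accept:(?P<kind>error in |failed in )?(?P<step>.+)$")
VERIFY_RE = re.compile(r"TLS certificate verification: depth: (?P<depth>\d+), "
                       r"subject: (?P<subject>.+?), issuer: ")

def analyze_slapd_tls_trace(text):
    """Summarise one connection's TLS trace from slapd debug output.
    'error in <step>' comes from slapd's OpenSSL info callback when SSL_accept
    returned <0 at that step: on slapd's non-blocking sockets that is the
    WANT_READ wait for the client's next flight, and harmless unless the step
    never completes later. 'failed in' (return 0) is a real handshake failure."""
    waited, completed = set(), set()
    r = {"client_cert_subject": None, "hard_failure": None,
         "clean_unbind": False, "peer_reset": False}
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m and m.group("kind") == "failed in ":
            r["hard_failure"] = m.group("step")
        elif m:
            (waited if m.group("kind") else completed).add(m.group("step"))
        elif (v := VERIFY_RE.match(line)) and v.group("depth") == "0":
            r["client_cert_subject"] = v.group("subject")  # depth 0 = client's own cert
        elif line.startswith("do_unbind"):
            r["clean_unbind"] = True  # client sent UnbindRequest before closing
        elif "Connection reset by peer" in line:
            r["peer_reset"] = True
    r["client_cert_requested"] = "SSLv3 write certificate request A" in completed
    r["handshake_completed"] = "SSLv3 write finished A" in completed
    r["stalled_steps"] = sorted(waited - completed)  # 'error in' never resolved
    return r
```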